
Commit c064b8ea authored by Laurent Pinchart's avatar Laurent Pinchart Committed by Mauro Carvalho Chehab

[media] v4l: Don't access media entity after is has been destroyed



Entities associated with video device nodes are unregistered in
video_unregister_device(). This destroys the entity even though it can
still be accessed through open video device nodes.

Move the media_device_unregister_entity() call from
video_unregister_device() to v4l2_device_release() to ensure that the
entity isn't unregistered until the last reference to the video device
is released.

Also remove the media_entity_get()/put() calls from v4l2-dev.c. Those
functions were designed for subdevs, to prevent a parent module from being
removed while still accessible through board code. They're not currently
needed for video device nodes, and will oops when a hotpluggable device
is disconnected during streaming, as media_entity_put() called in
v4l2_device_release() tries to access entity->parent->dev->driver which
is set to NULL when the device is disconnected.

Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: default avatarSakari Ailus <sakari.ailus@iki.fi>
Acked-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent ca4186f0
+7 −32
@@ -167,6 +167,12 @@ static void v4l2_device_release(struct device *cd)

	mutex_unlock(&videodev_lock);

#if defined(CONFIG_MEDIA_CONTROLLER)
	if (vdev->v4l2_dev && vdev->v4l2_dev->mdev &&
	    vdev->vfl_type != VFL_TYPE_SUBDEV)
		media_device_unregister_entity(&vdev->entity);
#endif

	/* Release video_device and perform other
	   cleanups as needed. */
	vdev->release(vdev);
@@ -389,9 +395,6 @@ static int v4l2_mmap(struct file *filp, struct vm_area_struct *vm)
static int v4l2_open(struct inode *inode, struct file *filp)
{
	struct video_device *vdev;
#if defined(CONFIG_MEDIA_CONTROLLER)
	struct media_entity *entity = NULL;
#endif
	int ret = 0;

	/* Check if the video device is available */
@@ -405,17 +408,6 @@ static int v4l2_open(struct inode *inode, struct file *filp)
	/* and increase the device refcount */
	video_get(vdev);
	mutex_unlock(&videodev_lock);
#if defined(CONFIG_MEDIA_CONTROLLER)
	if (vdev->v4l2_dev && vdev->v4l2_dev->mdev &&
	    vdev->vfl_type != VFL_TYPE_SUBDEV) {
		entity = media_entity_get(&vdev->entity);
		if (!entity) {
			ret = -EBUSY;
			video_put(vdev);
			return ret;
		}
	}
#endif
	if (vdev->fops->open) {
		if (vdev->lock && mutex_lock_interruptible(vdev->lock)) {
			ret = -ERESTARTSYS;
@@ -431,14 +423,8 @@ static int v4l2_open(struct inode *inode, struct file *filp)

err:
	/* decrease the refcount in case of an error */
	if (ret) {
#if defined(CONFIG_MEDIA_CONTROLLER)
		if (vdev->v4l2_dev && vdev->v4l2_dev->mdev &&
		    vdev->vfl_type != VFL_TYPE_SUBDEV)
			media_entity_put(entity);
#endif
	if (ret)
		video_put(vdev);
	}
	return ret;
}

@@ -455,11 +441,6 @@ static int v4l2_release(struct inode *inode, struct file *filp)
		if (vdev->lock)
			mutex_unlock(vdev->lock);
	}
#if defined(CONFIG_MEDIA_CONTROLLER)
	if (vdev->v4l2_dev && vdev->v4l2_dev->mdev &&
	    vdev->vfl_type != VFL_TYPE_SUBDEV)
		media_entity_put(&vdev->entity);
#endif
	/* decrease the refcount unconditionally since the release()
	   return value is ignored. */
	video_put(vdev);
@@ -754,12 +735,6 @@ void video_unregister_device(struct video_device *vdev)
	if (!vdev || !video_is_registered(vdev))
		return;

#if defined(CONFIG_MEDIA_CONTROLLER)
	if (vdev->v4l2_dev && vdev->v4l2_dev->mdev &&
	    vdev->vfl_type != VFL_TYPE_SUBDEV)
		media_device_unregister_entity(&vdev->entity);
#endif

	mutex_lock(&videodev_lock);
	/* This must be in a critical section to prevent a race with v4l2_open.
	 * Once this bit has been cleared video_get may never be called again.
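Review bot: The block added to v4l2_device_release() reads vdev->v4l2_dev and vdev->v4l2_dev->mdev when the last reference is dropped, which for a hot-unplugged device with an open node may be well after the driver's disconnect path has run; nothing in this hunk shows that those two objects are guaranteed to outlive the video_device. If a driver frees or unregisters its v4l2_device or media_device at disconnect, this check would become a use-after-free, or an unregister of an entity the media device has already dropped, which is the same class of bug the commit is fixing. I would state the lifetime requirement at the call site, e.g. `/* v4l2_dev and mdev must remain valid until the last video_device reference is dropped */`, and confirm that drivers for hotpluggable hardware meet it. The body of v4l2_device_release() starts and ends outside the hunk, so a guard elsewhere in the function may already cover this.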